GPM Personal - Corey Neskey - 1/25/20

Executive Summary

Background


  • The USB scenarios considered involve removing a security control that has been in place at Derp Corp since VirtualDerp was set up, but they would give personnel an easier method of file export.

  • The SuperCloud scenarios considered do not involve removing any security control, but they afford a less convenient method of file export.

Scope

Scope Table

Assets at risk
  • Included: eNPI & FERPA; TIS Secrets
  • Excluded: Other

Containers/Points of attack
  • Included:
      • DERP Neighbors on “32 AofA, 12th Fl. (Other Depts Medium)” (ODMNet)
      • herp-p-cupmgmt “CU Server” on ODMNet
      • herp-p-cupins “CU Insights Server” on ODMNet
      • herp-p-cupdc01 “CU Data Collector Server” on ODMNet
      • herp-p-cupmon SDC “CU Monitoring Server” on ODMNet
      • herp-p-cupsql “SQL Insight Database” on ODMNet
      • herp-prod-vc (esx Hypervisor) on ODMNet (agentless queries on 443)
      • HERP TIS jump stations for administration on ODMNet
      • XAs and XDs on SDC 32 AofA, 12th Fl. (HERP Citrix VDI network)
      • XAs and XDs on 75 Third Ave. (HERP Citrix VDI network)
  • Excluded:
      • DERP AD Systems
      • DERP SMTP Systems
      • DERP Networking and FW Systems
      • DERP Vulnerability Scanner Systems
      • DERP Vendor Access
      • HERP Replicated DR Equivalent Systems
      • HERP Backup Systems
      • HERP DFS Systems
      • HERP SEP Server
      • HERP LANDESK Server

Threat communities
  • Included: privileged insiders (DERP & Vendors); non-privileged insiders (DERP & Vendors); malicious software; external attackers
  • Excluded: none

Threat Types
  • Included: deliberately; accidentally
  • Excluded: Mechanical; Process Failure; Natural

Effects
  • Included: confidentiality; integrity; availability
  • Excluded: none


Next Steps

The CIO of PIZZA CORP. Kitchen has requested that PIZZA CORP. Kitchen IT personnel provide the analyst with the following information after reviewing this report:

  • changes to scope as defined in Scope section of this report
  • controls from Recommendations section that will be implemented
  • subsequent review of the revised assessment inclusive of aforementioned changes and controls selected

  • All information collected, the journal of activities, the FAIR factors, and the probabilistic risk model representing these changes are retained in a Box folder shared with the PIZZA CORP. Kitchen CIO.

  • The remainder of this report outlines the analysis in more depth for reference, validation, and scrutiny, which is welcome.

Analysis

Projection

The net value after factoring in benefits, costs, losses, and mitigation costs over 1, 3, and 5 years.

Plan A Expected

|                  | Year 1     | Year 2     | Year 3       |
|------------------|------------|------------|--------------|
| Benefits         | $415,445   | $830,890   | $1,246,335   |
| Costs            | $57,462    | $63,839    | $70,217      |
| Loss             | $644,584   | $1,289,167 | $1,933,751   |
| Mitigation Costs | $0         | $0         | $0           |
| Prevented Loss   | $0         | $0         | $0           |
| Net              | -$286,600  | -$931,184  | -$1,575,767  |

Plan B Expected

|                  | Year 1     | Year 2     | Year 3       |
|------------------|------------|------------|--------------|
| Benefits         | $415,445   | $830,890   | $1,246,335   |
| Costs            | $57,462    | $63,839    | $70,217      |
| Loss             | $309,526   | $619,052   | $928,577     |
| Mitigation Costs | $6,230     | $6,230     | $6,230       |
| Prevented Loss   | $335,058   | $670,115   | $1,005,173   |
| Net              | $377,285   | $402,817   | -$576,824    |

Plan C Expected

|                  | Year 1     | Year 2     | Year 3       |
|------------------|------------|------------|--------------|
| Benefits         | $415,445   | $830,890   | $1,246,335   |
| Costs            | $57,462    | $63,839    | $70,217      |
| Loss             | $197,321   | $394,642   | $591,963     |
| Mitigation Costs | $60,725    | $60,725    | $60,725      |
| Prevented Loss   | $447,263   | $894,525   | $1,341,788   |
| Net              | $547,200   | $797,141   | -$631,319    |

Benefits

Parameters provided by experts to approximate the benefits of this project.

Benefits Table

| Benefit UID | Benefit Event | Probability | Lower Bound | Most Likely | Upper Bound | Rationale | Recurring |
|---|---|---|---|---|---|---|---|
| benefit-1 | Virtual System Performance Monitoring - to anticipate and prevent outages | 0.99 | 63476.56 | 182291.7 | 1718750 | LB = 0.5 hrs of outage for 2k employees making $75k + 30% benefits; ML = 1 hr of outage for 1.5k employees making $100k + 30% benefits; UB = 4 hrs of outage for 3k employees making $300k + 30% benefits | TRUE |
| benefit-2 | Centralized Virtual System Control | 0.50 | 30.00 | 2000.0 | 200000 | Assumes the Upper Bound is the cost of one FTE. Not part of the original use case but may be used. | TRUE |

Costs

Parameters provided by experts to approximate the costs of this project.

Costs Table

| Known Cost UID | Known Cost Event | Lower Bound | Most Likely | Upper Bound | Rationale | Recurring Expense |
|---|---|---|---|---|---|---|
| cost-1 | CriticalUse direct purchase costs | 19790.47 | 19790.47 | 19790.47 | Actual contract | FALSE |
| cost-2 | CriticalUse support and pro services | 0.00 | 0.00 | 0.00 | No pro services | FALSE |
| cost-3 | Internal setup and testing | 1500.00 | 24000.00 | 72000.00 | Wage-based: Sys Engineer x 2, 1 to 12 weeks, ML 4 | FALSE |
| cost-4 | Internal initial security review | 1500.00 | 2800.00 | 5600.00 | Wage-based: Security Analyst x 1 | FALSE |
| cost-5 | Timeframe ongoing maintenance and SysAdmin | 1500.00 | 3000.00 | 24000.00 | Wage-based: Sys Engineer x 1, 1 to 8 weeks, ML 2 | TRUE |
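As an added example (not the report's own model), the three-point estimates from the Benefits and Costs tables can be turned into expected values and Monte Carlo draws and combined with the Projection figures. It assumes the estimates are PERT-shaped, that the Year N columns accumulate recurring items, and that Net = Benefits - Costs - Loss - Mitigation Costs + Prevented Loss, a relationship the Year 1 rows of the Projection tables satisfy; with these assumptions the expected year-1 cost lands within a few hundred dollars of the report's $57,462.

```python
"""PERT expectation and Monte Carlo draws for the three-point estimates in the
Benefits and Costs tables. Added example, not the report's own model: PERT-shaped
estimates and cumulative Year N columns are assumptions made here."""
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:
    uid: str
    lb: float                  # lower bound
    ml: float                  # most likely
    ub: float                  # upper bound
    probability: float = 1.0   # chance the event happens in a given year
    recurring: bool = False    # counted every year, or only in year 1

    def expected(self) -> float:
        """PERT expected value (LB + 4*ML + UB) / 6, scaled by probability."""
        return self.probability * (self.lb + 4 * self.ml + self.ub) / 6

    def sample(self, rng: random.Random) -> float:
        """One Monte Carlo draw: a scaled Beta whose mean equals expected()."""
        if rng.random() >= self.probability:
            return 0.0
        if self.ub == self.lb:            # fixed amount, e.g. the signed contract
            return self.lb
        span = self.ub - self.lb
        a = 1 + 4 * (self.ml - self.lb) / span
        b = 1 + 4 * (self.ub - self.ml) / span
        return self.lb + span * rng.betavariate(a, b)

# Parameters copied from the report's Benefits and Costs tables.
BENEFITS = [Estimate("benefit-1", 63476.56, 182291.7, 1718750, 0.99, True),
            Estimate("benefit-2", 30.0, 2000.0, 200000, 0.50, True)]
COSTS = [Estimate("cost-1", 19790.47, 19790.47, 19790.47),
         Estimate("cost-2", 0.0, 0.0, 0.0),
         Estimate("cost-3", 1500.0, 24000.0, 72000.0),
         Estimate("cost-4", 1500.0, 2800.0, 5600.0),
         Estimate("cost-5", 1500.0, 3000.0, 24000.0, recurring=True)]

def cumulative_expected(items, years: int) -> float:
    """Expected total through year N; recurring items are counted N times."""
    return sum(e.expected() * (years if e.recurring else 1) for e in items)

def net(benefits, costs, loss, mitigation, prevented) -> float:
    """Net = Benefits - Costs - Loss - Mitigation Costs + Prevented Loss,
    the relationship the Year 1 rows of the Projection tables satisfy."""
    return benefits - costs - loss - mitigation + prevented

def simulate_year1_costs(trials: int = 50000, seed: int = 1) -> float:
    """Mean of Monte Carlo draws of total year-1 cost (expected 57,340.47)."""
    rng = random.Random(seed)
    return sum(sum(c.sample(rng) for c in COSTS) for _ in range(trials)) / trials
```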

Scenarios

Scenarios Table

| UID | Assets at risk | Containers/Points of attack | Threat communities | Threat Types | Effects | Scenario |
|---|---|---|---|---|---|---|
| Risk-1 | eNPI & FERPA | DERP Neighbors on “32 AofA, 12th Fl. (Other Depts Medium)” (ODMNet) | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through DERP Neighbors on “32 AofA, 12th Fl. (Other Depts Medium)” (ODMNet). |
| Risk-2 | eNPI & FERPA | herp-p-cupmgmt “CU Server” on ODMNet | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through herp-p-cupmgmt “CU Server” on ODMNet. |
| Risk-3 | eNPI & FERPA | herp-p-cupins “CU Insights Server” on ODMNet | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through herp-p-cupins “CU Insights Server” on ODMNet. |
| Risk-4 | eNPI & FERPA | herp-p-cupdc01 “CU Data Collector Server” on ODMNet | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through herp-p-cupdc01 “CU Data Collector Server” on ODMNet. |
| Risk-5 | eNPI & FERPA | herp-p-cupmon SDC “CU Monitoring Server” on ODMNet | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through herp-p-cupmon SDC “CU Monitoring Server” on ODMNet. |
| Risk-6 | eNPI & FERPA | herp-p-cupsql “SQL Insight Database” on ODMNet | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through herp-p-cupsql “SQL Insight Database” on ODMNet. |
| Risk-7 | eNPI & FERPA | herp-prod-vc (esx Hypervisor) on ODMNet (agentless queries on 443) | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through herp-prod-vc (esx Hypervisor) on ODMNet (agentless queries on 443). |
| Risk-8 | eNPI & FERPA | HERP TIS jump stations for administration on ODMNet | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through HERP TIS jump stations for administration on ODMNet. |
| Risk-9 | eNPI & FERPA | XAs and XDs on 32 AofA, 12th Fl. (HERP Citrix VDI network) | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through XAs and XDs on 32 AofA, 12th Fl. (HERP Citrix VDI network). |
| Risk-10 | eNPI & FERPA | XAs and XDs on 75 Third Ave. (HERP Citrix VDI network) | external attackers | deliberately | confidentiality | external attackers deliberately impact the confidentiality of eNPI & FERPA through XAs and XDs on 75 Third Ave. (HERP Citrix VDI network). |
| Risk-11 | eNPI & FERPA | DERP Neighbors on “32 AofA, 12th Fl. (Other Depts Medium)” (ODMNet) | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through DERP Neighbors on “32 AofA, 12th Fl. (Other Depts Medium)” (ODMNet). |
| Risk-12 | eNPI & FERPA | herp-p-cupmgmt “CU Server” on ODMNet | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through herp-p-cupmgmt “CU Server” on ODMNet. |
| Risk-13 | eNPI & FERPA | herp-p-cupins “CU Insights Server” on ODMNet | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through herp-p-cupins “CU Insights Server” on ODMNet. |
| Risk-14 | eNPI & FERPA | herp-p-cupdc01 “CU Data Collector Server” on ODMNet | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through herp-p-cupdc01 “CU Data Collector Server” on ODMNet. |
| Risk-15 | eNPI & FERPA | herp-p-cupmon SDC “CU Monitoring Server” on ODMNet | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through herp-p-cupmon SDC “CU Monitoring Server” on ODMNet. |
| Risk-16 | eNPI & FERPA | herp-p-cupsql “SQL Insight Database” on ODMNet | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through herp-p-cupsql “SQL Insight Database” on ODMNet. |
| Risk-17 | eNPI & FERPA | herp-prod-vc (esx Hypervisor) on ODMNet (agentless queries on 443) | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through herp-prod-vc (esx Hypervisor) on ODMNet (agentless queries on 443). |
| Risk-18 | eNPI & FERPA | HERP TIS jump stations for administration on ODMNet | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through HERP TIS jump stations for administration on ODMNet. |
| Risk-19 | eNPI & FERPA | XAs and XDs on 32 AofA, 12th Fl. (HERP Citrix VDI network) | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through XAs and XDs on 32 AofA, 12th Fl. (HERP Citrix VDI network). |
| Risk-20 | eNPI & FERPA | XAs and XDs on 75 Third Ave. (HERP Citrix VDI network) | external attackers | deliberately | Integrity | external attackers deliberately impact the Integrity of eNPI & FERPA through XAs and XDs on 75 Third Ave. (HERP Citrix VDI network). |
| Risk-21 | eNPI & FERPA | DERP Neighbors on “32 AofA, 12th Fl. (Other Depts Medium)” (ODMNet) | external attackers | deliberately | Availability | external attackers deliberately impact the Availability of eNPI & FERPA through DERP Neighbors on “32 AofA, 12th Fl. (Other Depts Medium)” (ODMNet). |
| Risk-22 | eNPI & FERPA | herp-p-cupmgmt “CU Server” on ODMNet | external attackers | deliberately | Availability | external attackers deliberately impact the Availability of eNPI & FERPA through herp-p-cupmgmt “CU Server” on ODMNet. |
| Risk-23 | eNPI & FERPA | herp-p-cupins “CU Insights Server” on ODMNet | external attackers | deliberately | Availability | external attackers deliberately impact the Availability of eNPI & FERPA through herp-p-cupins “CU Insights Server” on ODMNet. |
| Risk-24 | eNPI & FERPA | herp-p-cupdc01 “CU Data Collector Server” on ODMNet | external attackers | deliberately | Availability | external attackers deliberately impact the Availability of eNPI & FERPA through herp-p-cupdc01 “CU Data Collector Server” on ODMNet. |

  • nn scenarios were generated by exhausting…
  • nn were disregarded.
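As an added example (not the report's own generator), the scenario rows above can be reproduced by taking the cross product of the Included columns of the Scope table and filling the sentence template the Scenarios table follows; that the scenarios were generated this way is an assumption here, and the filter values (external attackers, deliberately, eNPI & FERPA) are simply those the rows above share.

```python
"""Enumerate risk scenarios as the cross product of the Included columns of the
Scope table, written with the sentence template the Scenarios table follows.
Added example, not the report's generator; the cross-product rule is assumed."""
from itertools import product

ASSETS = ["eNPI & FERPA", "TIS Secrets"]
CONTAINERS = [
    "DERP Neighbors on “32 AofA, 12th Fl. (Other Depts Medium)” (ODMNet)",
    "herp-p-cupmgmt “CU Server” on ODMNet",
    "herp-p-cupins “CU Insights Server” on ODMNet",
    "herp-p-cupdc01 “CU Data Collector Server” on ODMNet",
    "herp-p-cupmon SDC “CU Monitoring Server” on ODMNet",
    "herp-p-cupsql “SQL Insight Database” on ODMNet",
    "herp-prod-vc (esx Hypervisor) on ODMNet (agentless queries on 443)",
    "HERP TIS jump stations for administration on ODMNet",
    "XAs and XDs on 32 AofA, 12th Fl. (HERP Citrix VDI network)",
    "XAs and XDs on 75 Third Ave. (HERP Citrix VDI network)",
]
THREAT_COMMUNITIES = ["privileged insiders (DERP & Vendors)",
                      "non-privileged insiders (DERP & Vendors)",
                      "malicious software", "external attackers"]
THREAT_TYPES = ["deliberately", "accidentally"]
EFFECTS = ["confidentiality", "integrity", "availability"]
TEMPLATE = "{community} {threat_type} impact the {effect} of {asset} through {container}."

def enumerate_scenarios():
    """Every Included combination, ordered as the Scenarios table is:
    effect outermost, then asset, community, threat type, container."""
    combos = product(EFFECTS, ASSETS, THREAT_COMMUNITIES, THREAT_TYPES, CONTAINERS)
    return [dict(effect=e, asset=a, community=c, threat_type=t, container=k)
            for e, a, c, t, k in combos]

def select(rows, **criteria):
    """Keep rows matching every given field and number them Risk-1, Risk-2, ...
    Filtering to external attackers / deliberately / eNPI & FERPA yields the
    30 rows of which Risk-1 .. Risk-24 above are the first (effects in lowercase)."""
    kept = [r for r in rows if all(r[f] == v for f, v in criteria.items())]
    return [(f"Risk-{n}", TEMPLATE.format(**r)) for n, r in enumerate(kept, 1)]
```

The unfiltered cross product of the Scope table's Included columns is 2 × 10 × 4 × 2 × 3 = 480 candidate scenarios, which is the space the "disregarded" count is taken from under this assumption.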

ECDF


ECDF…

Density


Density…

Violin


Violin…

Swarm


Swarm…

Box


Box…

Ridge


Ridge